THE CUSTOMER ACCOUNT DATA ENGINE 2 DATABASE
WAS INITIALIZED; HOWEVER, DATABASE AND SECURITY RISKS REMAIN, AND INITIAL
TIMEFRAMES TO PROVIDE DATA TO THREE DOWNSTREAM SYSTEMS MAY NOT BE MET

Highlights

Final
Report issued on September 27, 2012

Highlights
of Report Number:† 2012-20-109 to the Internal Revenue Service Chief Technology
Officer.

IMPACT ON TAXPAYERS

The
overall goals for the Customer Account Data Engine 2 (CADE 2) Program are to
process individual taxpayer account data in a modernized environment and
provide more timely and accurate data to front-line employees.† A transactional
database capable of supporting both tax processing and enterprise-wide data
access is a cornerstone of that effort.† In Transition State 1, the IRS will
establish the database and processes will be developed to keep the database
current with daily account information from the Individual Master File.† The
database will be able to provide daily updates to the IRSís key customer
service database, the Integrated Data Retrieval System, and it will be able to
populate the key compliance analytical database, the Integrated Production
Model, with more timely data.† Incomplete, inaccurate, and unsecured data on
the CADE 2 database will prevent the IRS from providing quality customer
service and could compromise taxpayer data.

WHY TIGTA DID THE AUDIT

The
overall objective was to review the CADE 2 database implementation and ensure
that the database was secure, accurate, and complete, and that prior weaknesses
identified were corrected or mitigated.† This review addresses the major management
challenge of Modernization.

To address the issues identified during testing, the IRS
developed version 2.2 of the CADE 2 database.† The IRS spent up to $22.3
million on database implementation including developing version 2.2 of the CADE
2 database from January through July 2012.† The IRS does not track cost at the
development activity level; therefore, TIGTA could not determine the actual
cost for version 2.2 of the CADE 2 database.†

Enhanced
security is one of the goals of the CADE 2 Program.† CADE 2 database security
will be implemented via a role-based access model and the Resource Access
Control Facility.† However, vulnerabilities in the JAVA code could result in
loss of sensitive taxpayer information, and remediation of identified security
weaknesses is ineffective.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer:†
1) ensure
the CADE 2 Program does not exit Transition State 1 until the CADE 2 database can
provide accurate and complete data to the three downstream systems; 2) ensure the
database design process follows the Internal Revenue Manual and validate that
the database design meets business requirements; 3) realign data validation and
testing efforts with business functionality and processes; 4) ensure JAVA code
weaknesses are remediated; 5) ensure privileged accounts are documented,
administered, monitored, and reviewed in accordance with the Internal Revenue
Manual or removed from the system; 6) ensure sample tables and default ports
are disabled or removed; and 7) enhance the Online 5081 system.

The IRS agreed with three and partially
agreed with one of the seven recommendations and corrective actions are
planned.† The IRS disagreed with three recommendations and TIGTA provided
comments in the audit report.